BOEING is a trademark of Boeing Management Company. Copyright © 2005 Boeing. All rights reserved.

What Hath Vint Wrought: Responding to the Unintended Consequences of Globalization

Steve Whitlock, Chief Security Architect, Information Protection & Assurance, The Boeing Company
Prehistoric E-Business
Employees moved out…
Associates moved in…
The Globalization Effect

[Diagram: the names of the enterprises and people in this slide's example relationships did not survive extraction; the relationships themselves read as follows.]

is physically located inside ’s perimeter and needs access to and

’s application needs access to ’s application, which needs access to ’s application

is located physically outside ’s perimeter and needs access to

is located physically inside ’s perimeter and needs access to
Deperimeterization

Deperimeterization is not a security strategy; it is a consequence of globalization by cooperating enterprises.

Specifically:
- Inter-enterprise access to complex applications
- Virtualization of employee location
- On-site access for non-employees
- Direct access from external applications to internal application and data resources
- Enterprise-to-enterprise web services

The current security approach will change:
- Reinforce the Defense-In-Depth and Least Privilege security principles
- Perimeter security emphasis will shift towards supporting resource availability
- Access controls will move towards resources
- Data will be protected independent of location
Restoring Layered Services

[Diagram: a Policy Enforcement Point (PEP) at the network boundary, a PEP in front of the Infrastructure Services block, and a PEP in front of each Virtual Data Center. Infrastructure Services are grouped as Network Services, Security Services and Other Services and include DNS, DHCP, Routing, Directory, Identity / Authentication, Authorization / Audit, Print, Systems Management and Voice.]
Defense Layer 1: Network Boundary

[Diagram: the PEP at the network boundary is highlighted.]

An externally facing policy enforcement point demarks a thin perimeter between outside and inside and provides these services:

Legal and Regulatory
- Provide a legal entrance for the enterprise
- Provide notice to users that they are entering a private network domain
- Provide brand protection
- Enterprise dictates the terms of use
- Enterprise has legal recourse for trespassers

Availability
- Filter unwanted network noise
- Block spam, viruses, and probes
- Preserve bandwidth for corporate business
- Preserve access to unauthenticated but authorized information (e.g. public web site)

Substantial access, including by employees and associates, will be from external devices.
Defense Layer 2: Network Access Control

[Diagram: the layered-services picture, with the boundary PEP and the PEP in front of Infrastructure Services (DNS, DHCP, Routing, Directory, Identity / Authentication, Authorization / Audit, Print, Systems Management, Voice) highlighted.]

- All Policy Enforcement Points controlled by centralized services
- No peer intra-zone connectivity; all interaction via PEPs
- Policy Enforcement Points may divide the internal network into multiple controlled segments
- Enterprise users will also go through the protected interfaces
- Rich set of centralized enterprise services
- Segments contain malware and limit the scope of unmanaged machines
Defense Layer 3: Resource Access Control

[Diagram: the layered-services picture, with the Virtual Data Centers and their PEPs highlighted.]

- Controlled access to resources via Policy Enforcement Point based on authorization decisions
- Qualified servers located in a protected environment or Virtual Data Center (VDC)
- Additional VDCs as required; no clients or end users inside a VDC
- All access requests, including those from clients, servers, PEPs, etc., are routed through the identity management system and the authentication and authorization infrastructures
Defense Layer 4: Resource Availability

[Diagram: the layered-services picture, with the interiors of the Infrastructure Services block and the Virtual Data Centers highlighted.]

- Critical infrastructure services highly secured and tamperproof
- Enterprise managed machines will have a full suite of self-protection tools, regardless of location
- Administration done from a secure environment within the Virtual Data Center
- Resource servers isolated in Virtual Cages and protected from direct access to each other
Identity Management Infrastructure

- Migration to federated identities
- Support for more principal types (applications, machines and resources) in addition to people
- Working with DMTF, NAC, Open Group, TSCP, etc. to adopt a standard
- Leaning towards the OASIS XRI v2 format

[Diagram: Identifier and Attribute Repository, Authentication Infrastructure (SAML, X.509), Authorization Infrastructure (Policy Decision Point) and Audit Logs; identifiers take the form Domain + Identifier.]
Authentication Infrastructure

- Offer a suite of certificate-based authentication services
- Cross-certification efforts:
  - Cross-certify with the CertiPath Bridge CA
  - Cross-certify with the US Federal Bridge CA
  - Operate a DoD approved External Certificate Authority
- Boeing employees use X.509 enabled SecureBadge and PIN
- Associates: authenticate locally and send credentials
- External credentials: first choice, SAML assertions; alternative, X.509 certificates

[Diagram: Infrastructure Services (Federated Identity Management, Authentication, Authorization) and a Virtual Data Center, each behind a PEP.]
Policy Decision Point

Authorization Infrastructure
- Common enterprise authorization services
- Standard data label template
- Loosely coupled policy decision and enforcement structure
- Audit service
- PDPs and PEPs use standard protocols to communicate authorization information (LDAP, SAML, XACML, etc.)

[Diagram: a Person, Machine, or Application sends Access Requests to the Policy Enforcement Point, which exchanges Access Requests/Decisions with the Policy Decision Point (Policy Engine). The PDP draws on Policy Management (policies: legal, regulatory, IP, contract, etc.) and Data Tag Management (attributes: principal, data, environmental, etc.) and writes Audit Logs; permitted Access reaches the Applications and Data.]
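The slide describes a loosely coupled PDP/PEP structure in which decisions are made from principal, data-tag and environmental attributes and every decision is audited. The following is an added example written for this page, not Boeing's code: a small attribute-based PDP with deny-overrides combining, a PEP that only lets a Permit through, and an audit record per decision. The rule names, the data labels (Public, Proprietary, Export Controlled), the placeholder domain boeing.example and the principals alice, bob and App20 are all constructed for illustration; a real deployment would carry the request and decision between PEP and PDP over XACML or SAML as the slide says.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Attrs = Dict[str, object]


@dataclass
class Request:
    """One access request as the PEP forwards it to the PDP."""
    subject: Attrs      # principal attributes: person, machine or application
    resource: Attrs     # attributes taken from the resource's data tag
    action: str
    environment: Attrs  # device health, location, etc.


@dataclass
class Rule:
    name: str
    effect: str                            # "Permit" or "Deny"
    applies: Callable[[Request], bool]


@dataclass
class PolicyDecisionPoint:
    rules: List[Rule]
    audit_log: List[dict] = field(default_factory=list)

    def decide(self, req: Request) -> str:
        """Deny-overrides combining: a matching Deny wins outright, a matching
        Permit is needed for access, and no match yields NotApplicable."""
        decision, matched = "NotApplicable", []
        for rule in self.rules:
            if rule.applies(req):
                matched.append(rule.name)
                if rule.effect == "Deny":
                    decision = "Deny"
                    break
                decision = "Permit"
        # Every decision is audited, whichever way it went.
        self.audit_log.append({
            "subject": req.subject.get("id"),
            "resource": req.resource.get("id"),
            "action": req.action,
            "decision": decision,
            "rules": matched,
        })
        return decision


class PolicyEnforcementPoint:
    """Sits in front of a resource; anything other than Permit is blocked."""

    def __init__(self, pdp: PolicyDecisionPoint) -> None:
        self.pdp = pdp

    def allow(self, req: Request) -> bool:
        return self.pdp.decide(req) == "Permit"


TRUSTED_DOMAINS = {"boeing.example"}  # constructed placeholder domain


def build_pdp() -> PolicyDecisionPoint:
    """Constructed rule set standing in for legal, contract and IP policies."""
    rules = [
        Rule("deny-unmanaged-device", "Deny",
             lambda r: r.resource["label"] != "Public"
             and not r.environment.get("device_managed", False)),
        Rule("deny-export-controlled-outside-domain", "Deny",
             lambda r: r.resource["label"] == "Export Controlled"
             and r.subject.get("domain") not in TRUSTED_DOMAINS),
        Rule("permit-person-read-by-label", "Permit",
             lambda r: r.subject["type"] == "person" and r.action == "read"
             and r.resource["label"] in r.subject.get("cleared_labels", ())),
        Rule("permit-application-caller", "Permit",
             lambda r: r.subject["type"] == "application"
             and r.subject["id"] in r.resource.get("allowed_callers", ())),
    ]
    return PolicyDecisionPoint(rules)


def demo() -> List[str]:
    """Runs five constructed requests through the PEP and returns the audited decisions."""
    pdp = build_pdp()
    pep = PolicyEnforcementPoint(pdp)
    employee = {"id": "alice", "type": "person", "domain": "boeing.example",
                "cleared_labels": {"Public", "Proprietary", "Export Controlled"}}
    associate = {"id": "bob", "type": "person", "domain": "partner.example",
                 "cleared_labels": {"Public", "Proprietary"}}
    app20 = {"id": "App20", "type": "application", "domain": "boeing.example"}
    managed, unmanaged = {"device_managed": True}, {"device_managed": False}
    data21 = {"id": "Data21", "label": "Proprietary", "allowed_callers": {"App20"}}
    data22 = {"id": "Data22", "label": "Export Controlled", "allowed_callers": set()}
    requests = [
        Request(employee, data21, "read", managed),      # Permit
        Request(employee, data21, "read", unmanaged),    # Deny: unmanaged device
        Request(associate, data22, "read", managed),     # Deny: export controlled, outside domain
        Request(app20, data21, "invoke", managed),       # Permit: application-to-data
        Request(associate, data21, "write", managed),    # NotApplicable: no rule grants write
    ]
    for req in requests:
        pep.allow(req)
    return [entry["decision"] for entry in pdp.audit_log]
```

The PEP never sees the policies themselves, only the decision, which is what lets the decision logic be centralized while enforcement is distributed across many PEPs; the audit record carries the names of the rules that fired so a log analyzer can later explain each decision.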
Resource Availability: Desktop

[Diagram: protections stacked by layer (Hardware, Kernel, Application, Network): Physical Controls; Trusted Computing, Virtualization; Port and Device Control; Active Protection Technology; Software Firewall; Host-Based IDS / IPS; Encryption, Signature; Anti Virus, Anti Spam, Anti Spyware. All are governed by the Policy Decision Point.]

- Layered defenses controlled by policies
- Users responsible and empowered
- Automatic real-time security updates
- Health checked at network connection
Resource Availability: Server / Application

[Diagram: a Disk Farm and Application Blades (Server 1 … Server N hosting Application A … Application N). Application Blade detail: Server 1 Hardware, Server 1 Host OS, Server 1 Virtual Machine with a Guest OS per application; each application is reached over a Virtual Network through in-line network encryption (IPSec) and an in-line network packet filter, behind PEPs controlled by the Policy Decision Point.]

- Separate admin access
- No internal visibility between applications
Availability: Logical View

[Diagram: resources App01, Data00, Data02, Data03, App10, App11, App12, Data13, App20, App23, Data21 and Data22, each behind its own PEP, grouped into Task A Resources and Task B Resources.]

- PEPs breached only for the duration of a task
- All resources logically isolated by PEPs
- Task patterns may be managed holistically
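The logical view says every resource is isolated by its own PEP and that PEPs are opened only for the duration of a task, with task patterns managed as a whole. As an added example for this page (not Boeing's code), the model below keeps resources isolated by default, opens flows between two resources only while a task pattern containing both is active, closes them when the task ends or its duration elapses, and can report which resources are exposed at any moment. Resource names follow the slide; the task patterns, durations and the injected clock are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class TaskPattern:
    """The set of resources a business task needs, and for how long."""
    name: str
    resources: frozenset
    duration_s: int


@dataclass
class TaskGrant:
    pattern: TaskPattern
    started_at: float

    def active(self, now: float) -> bool:
        return now < self.started_at + self.pattern.duration_s


@dataclass
class TaskScopedPEP:
    """Every resource sits behind its own PEP; a flow between two resources is
    permitted only while a task that contains both of them is active."""
    grants: Dict[str, TaskGrant] = field(default_factory=dict)
    audit: List[Tuple[float, str, str, str, str]] = field(default_factory=list)

    def start_task(self, pattern: TaskPattern, now: float) -> None:
        self.grants[pattern.name] = TaskGrant(pattern, now)

    def end_task(self, name: str) -> None:
        self.grants.pop(name, None)

    def expire(self, now: float) -> List[str]:
        """Close grants whose duration has elapsed; returns their names."""
        stale = [n for n, g in self.grants.items() if not g.active(now)]
        for n in stale:
            del self.grants[n]
        return stale

    def allow_flow(self, src: str, dst: str, now: float) -> bool:
        self.expire(now)
        for grant in self.grants.values():
            if {src, dst} <= grant.pattern.resources:
                self.audit.append((now, src, dst, "Permit", grant.pattern.name))
                return True
        # Default position: isolated, and the denial is audited too.
        self.audit.append((now, src, dst, "Deny", "-"))
        return False

    def exposed(self, now: float) -> Dict[str, Set[str]]:
        """Holistic view: which resources are currently reachable, and by which task."""
        self.expire(now)
        view: Dict[str, Set[str]] = {}
        for grant in self.grants.values():
            for r in grant.pattern.resources:
                view.setdefault(r, set()).add(grant.pattern.name)
        return view


# Constructed task patterns; the resource names are those on the slide.
TASK_A = TaskPattern("Task A", frozenset({"App01", "Data00", "Data02"}), 600)
TASK_B = TaskPattern("Task B", frozenset({"App20", "Data21", "Data22"}), 300)


def demo() -> List[bool]:
    """Walks one PEP through a task's life cycle and returns the flow decisions."""
    pep = TaskScopedPEP()
    results = [pep.allow_flow("App20", "Data21", now=0)]        # no task yet: Deny
    pep.start_task(TASK_B, now=0)
    results.append(pep.allow_flow("App20", "Data21", now=10))   # Permit within Task B
    results.append(pep.allow_flow("App20", "Data00", now=10))   # Deny: Data00 is not in Task B
    results.append(pep.allow_flow("App20", "Data21", now=301))  # Deny: Task B's duration elapsed
    pep.start_task(TASK_A, now=310)
    pep.end_task("Task A")
    results.append(pep.allow_flow("App01", "Data00", now=320))  # Deny: task ended early
    return results
```

Because the grant is keyed by the task rather than by individual firewall rules, removing one task closes every path it opened at once, which is the property the slide calls managing task patterns holistically.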
Supporting Services: Cryptographic Services

[Diagram: Encryption and Signature Services for Applications, Whole Disk, File, Data Objects, Tunnels, E-Mail, IM, Code and Other Communications, built on a policy-driven encryption engine, Key and Certificate Services and PKI Services, governed by the Policy Decision Point.]

- Policies determine encryption services
- Encryption applications use a set of common encryption services
- Centralized smartcard support
- All keys and certificates managed by corporate PKI
Supporting Services: Assessment and Audit Services

[Diagram: a Log Analyzer and a Vulnerability Scanner, driven by the Policy Decision Point, work from Logs gathered from servers, network devices, etc., from PEPs and PDPs, and from IDS/IPS sensors.]

- Automated scans of critical infrastructure components driven by policies and audit log analysis
- Logs collected from desktops, servers, network and security infrastructure devices
- Policies determine assessment and audit level and frequency
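The slide ties scanning to two inputs: policy, which sets the assessment level and frequency per component, and audit log analysis, which can pull a scan forward. The example below is added for this page and is not Boeing's code. It parses a handful of constructed PEP/PDP and IDS audit lines (the key=value line format, the asset inventory, the criticality tiers and the scan intervals are all invented here), flags resources that saw repeated denials from one subject inside a short window or an IDS alert, and then produces the list of assets due for a scan: flagged assets immediately, everything else when its policy interval has elapsed.

```python
import re
from typing import Dict, List

# Constructed audit lines in a key=value form; ts is epoch seconds.
AUDIT_LOG = """\
ts=1000 src=PEP-03 subject=bob subject_domain=partner.example resource=Data22 action=read decision=Deny
ts=1005 src=PEP-03 subject=bob subject_domain=partner.example resource=Data22 action=read decision=Deny
ts=1009 src=PEP-03 subject=bob subject_domain=partner.example resource=Data21 action=read decision=Permit
ts=1012 src=PEP-03 subject=bob subject_domain=partner.example resource=Data22 action=write decision=Deny
ts=1020 src=PEP-07 subject=App20 subject_domain=boeing.example resource=Data21 action=invoke decision=Permit
ts=1400 src=IDS-01 subject=- subject_domain=- resource=Data00 action=probe decision=Alert
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

# Policy (constructed): criticality tier -> baseline scan interval in seconds.
SCAN_INTERVAL = {"critical": 3600, "standard": 86400}
ASSET_TIER = {"Data22": "critical", "Data21": "critical", "Data00": "standard", "PEP-03": "critical"}

DENY_THRESHOLD = 3   # denials from one subject on one resource ...
WINDOW_S = 60        # ... within this many seconds triggers a scan


def parse(log: str) -> List[Dict[str, str]]:
    """Turn key=value audit lines into dicts; blank lines are skipped."""
    return [dict(LINE_RE.findall(line)) for line in log.splitlines() if line.strip()]


def suspicious_assets(events: List[Dict[str, str]]) -> Dict[str, str]:
    """Resources with >= DENY_THRESHOLD denials for one subject inside WINDOW_S,
    plus anything an IDS sensor alerted on. Returns resource -> reason."""
    flagged: Dict[str, str] = {}
    denies: Dict[tuple, List[int]] = {}
    for e in sorted(events, key=lambda e: int(e["ts"])):
        ts = int(e["ts"])
        if e["decision"] == "Alert":
            flagged[e["resource"]] = f"ids alert from {e['src']}"
            continue
        if e["decision"] != "Deny":
            continue
        key = (e["subject"], e["resource"])
        # Sliding window: keep only the denials still inside WINDOW_S of this one.
        window = [t for t in denies.get(key, []) if ts - t <= WINDOW_S] + [ts]
        denies[key] = window
        if len(window) >= DENY_THRESHOLD:
            flagged[e["resource"]] = f"{len(window)} denials for {e['subject']} within {WINDOW_S}s"
    return flagged


def due_scans(now: int, last_scan: Dict[str, int], flagged: Dict[str, str]) -> Dict[str, str]:
    """Assets to scan now: flagged ones immediately, the rest when their policy interval has elapsed."""
    due: Dict[str, str] = {}
    for asset, tier in ASSET_TIER.items():
        interval = SCAN_INTERVAL[tier]
        if asset in flagged:
            due[asset] = "triggered: " + flagged[asset]
        elif now - last_scan.get(asset, 0) >= interval:
            due[asset] = f"scheduled: {tier} interval {interval}s"
    return due


def demo(now: int = 5000) -> Dict[str, str]:
    """Runs the constructed log through analysis and scheduling at time `now`."""
    events = parse(AUDIT_LOG)
    flagged = suspicious_assets(events)
    # Constructed last-scan times: the data stores were scanned at t=1500, PEP-03 never.
    last_scan = {"Data21": 1500, "Data22": 1500, "Data00": 1500, "PEP-03": 0}
    return due_scans(now, last_scan, flagged)
```

With the constructed log, Data22 is pulled forward because bob was denied three times inside a minute, Data00 because of the IDS alert, and PEP-03 comes up on its normal critical-tier schedule, while Data21, recently scanned and not flagged, waits; the thresholds and intervals are the knobs the slide says policy should set.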
Protection Layer Summary

[Table: Access Flow and Defense Layers against Layer Access Requirements and Services by Layer. The access flow runs Internet, Intranet, Enclave, Resource through Defense Layer 1: Network Boundary, Defense Layer 2: Network Access Control, Defense Layer 3: Resource Access Control and Defense Layer 4: Resource Availability. Access requirements listed across the layers: Identification, Authentication, Authorization, Audit and Secure Location, with Authentication, Authorization and Audit recurring at successive layers. Services by layer: External Services (public web, etc.); Basic Network Enclave Services (DNS, DHCP, Directory Services); Application and Data Access; Only Administrative Access.]